Bug #56012 SECURITY: critical - bug system does not escape HTML in titles
Submitted: 2004-03-22 09:36 UTC Modified: 2004-03-23 02:24 UTC
From: alan at akbkhome dot com Assigned: mj (profile)
Status: Closed Package: PECL bug system (PECL)
PHP Version: 4.3.4 OS: na
Private report: No CVE-ID: None
 [2004-03-22 09:36 UTC] alan at akbkhome dot com
Description:
------------
Submitting a bug to HTML_javascript produces a search result with a bug on Flexy that has <textarea> in the title..

- this appears as a text area..

- we are susceptible to cross site scripting!!!!!!!

** need to htmlspecialchars title !


 [2004-03-22 20:34 UTC] danielc at analysisandsolutions dot com
The only place I found in bugs that presents the sdesc field unescaped is on line 87 of report.php, where $row['sdesc'] should be htmlspecialchars($row['sdesc']).

This section of code gets presented to the submitter once they initially submit a bug report and bugs are found that appear similar to the one they're trying to submit.

Is this where you saw the problem?
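Added example (not the bug system's own code) of the fix described above: the similar-bugs list rendered once with the `sdesc` summary unescaped and once passed through `htmlspecialchars()`. The row data, the `bug.php?id=` link and the list markup are constructed for illustration; only the `sdesc` field name comes from the report.

```php
<?php
// Added example, not report.php itself. Models the list of similar bugs that
// is shown to the submitter after a report is filed. Row data is constructed.
$rows = [
    ['id' => 1, 'sdesc' => 'Flexy: <textarea> tag not rendered correctly'],
    ['id' => 2, 'sdesc' => 'HTML_javascript "onload" & quoting'],
];

// Before: the summary is concatenated straight into the page, so a title that
// contains markup (here a <textarea>) is parsed by the browser as markup.
function render_similar_unescaped(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li><a href="bug.php?id=' . (int) $row['id'] . '">'
               . $row['sdesc'] . "</a></li>\n";
    }
    return $html;
}

// After: every untrusted value is escaped for the HTML context it lands in.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside attributes.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_similar_escaped(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li><a href="bug.php?id=' . (int) $row['id'] . '">'
               . esc($row['sdesc']) . "</a></li>\n";
    }
    return $html;
}

echo render_similar_unescaped($rows); // contains a live <textarea> element
echo render_similar_escaped($rows);   // contains &lt;textarea&gt; as literal text

// Quick regression check: no raw tag from the data survives escaping.
assert(strpos(render_similar_escaped($rows), '<textarea>') === false);
```

The same escaping applies anywhere else a stored summary is echoed; the comment above found only this one spot in `report.php`.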
 [2004-03-23 01:23 UTC] alan at akbkhome dot com
Yeap - that's the one
 [2004-03-23 02:24 UTC] mj@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pear.php.net.

In case this was a pear.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PEAR better.
